I deal with this in my day job as well. Many datacenters will have mitigation appliances such as Arbor Peakflow, Cisco Guards, IntruGuard, etc. For attacks that are throwing garbage at unused ports, you can block these fairly effectively by having your datacenter block those ports at the router. Just ask your datacenter's support for a service such as this; usually their SLA specifies a time limit for how long your site may consume mitigation services for free. Your datacenter will probably start nulling your IP at around 1 Gbps inbound (varies, might be lower).

Some DDoSes are easy to block via iptables: attackers who aren't very clever will have the same UA on all of their bots, and they are easy to block via a combination of tailing your domlogs and adding bad IPs to an iptables listing. Many don't set a user agent, making it much easier.

Floods that consist of holding open HTTP server connections for long periods of time can be combated by throwing MaxClients to something large (about 5000) and setting keepalive to something low, like around 5 seconds (if you're using Apache; similar probably holds true for other HTTP servers). You can usually use string blocking via iptables, but these will still hold the connection open until the client times out, and you might have to resort to the above in conjunction (raise MaxClients, etc.). Usually, I try to mitigate via IP addresses before string blocking.

Rarely will I see an attack that will require a nullroute upstream. If you're worried about those, you will need to seek professional services. In most cases, you can mitigate at the server level easily. Also, ngrep is your friend.
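The "tail the domlogs, find the bots sharing one User-Agent, feed the IPs to iptables" routine from the answer above, as an added worked example (not code from the original poster). It assumes the log is in Apache's "combined" format, uses constructed sample lines with RFC 5737 documentation addresses, and prints the iptables commands instead of running them so they can be reviewed first; the function names and the request threshold are assumptions of this example.

```shell
#!/bin/sh
# Assumed log format: Apache "combined", i.e.
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Splitting each line on the double quote puts the User-Agent in field 6
# and the client IP at the start of field 1.

# suspect_ips PATTERN [THRESHOLD]
# Read an access log on stdin and print, sorted, every source IP that sent at
# least THRESHOLD (default 100) requests whose User-Agent matches the awk
# regex PATTERN. Use '^-$' to catch bots that send no User-Agent at all,
# which Apache logs as "-".
suspect_ips() {
    pattern=$1
    threshold=${2:-100}
    awk -F'"' -v pat="$pattern" -v thr="$threshold" '
        {
            split($1, head, " ")      # field 1 = "%h %l %u %t " -> head[1] is the IP
            ip = head[1]
            ua = $6                   # sixth "-delimited field = User-Agent
            if (ua ~ pat) hits[ip]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= thr) print ip
        }
    ' | sort
}

# block_rules
# Turn a list of IPs on stdin into iptables commands that DROP them at the top
# of INPUT. The commands are printed, not executed; pipe the output to sh once
# you have eyeballed the list (a typo here blocks your own monitoring host).
block_rules() {
    while read -r ip; do
        case $ip in
            *[!0-9.]*|"") continue ;;  # only dotted quads get a rule
        esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# sample_log
# Constructed log excerpt for the demo: two bots sharing one stale MSIE UA,
# one bot sending no UA, and one legitimate browser.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.8 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.0" 200 2326 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php HTTP/1.0" 200 2326 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
EOF
}

# Demo: everyone who hit us 3+ times with the shared UA, as DROP rules.
sample_log | suspect_ips 'MSIE 6[.]0' 3 | block_rules
```

In production you would replace `sample_log` with `tail -n 20000 /var/log/apache2/access.log` (or the per-domain log the answer calls domlogs) and raise the threshold well above what a real user can generate in the window you are looking at. This only helps with the "same UA on every bot" and "no UA" cases the answer describes; the long-held-connection floods still need the Apache side (MaxClients up, KeepAliveTimeout down) because an iptables DROP added after the connection is established does not close the socket the server is already holding.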